Tag: breach

Financial services group Liberty Life sent out an SMS to their clients on Saturday evening informing them of a major security breach.

Liberty launched an investigation after its systems were hacked, and said the hackers alerted the company to potential vulnerabilities in its systems and were now demanding compensation.

The Sunday Times reported that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the data.

Liberty has communicated with its customers regularly, advising them to change passwords as applicable.

Liberty Life hack could be ‘an inside job’: expert

A security expert has questioned how hackers gained access to Liberty Life clients’ information, suggesting it could have been an inside job.

The financial services provider confirmed on Saturday that its information technology system was hacked last week by people who demanded payment. It has since regained control of the system.

“It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person’s permissions to get into the system,” said managing director of Ukuvuma Cyber Security, Andrew Chester.

He said the hack could have been avoided by applying general data security practices such as encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.

“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted? When doing threat-hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Chester said it was also concerning that no-one detected the breach until the hackers themselves informed the company.

“There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them,” he said.

The company said its investigation into the breach was at an “advanced stage”.

An ‘embarrassing’ leak shows the European Union has fallen short of its own data protection laws.

The European Commission’s website has published 700 records, including the names, addresses and mobile numbers of conference attendees, according to a report.

Officials in Brussels admitted the authority that designed the rules is not itself compliant with the General Data Protection Regulation (GDPR).

The Commission has previously warned that those who breach these rules, which came into force last week, could face millions in fines.

Following the leak, a spokesperson said the authority was exempt from GDPR laws for ‘legal reasons’.

Officials in Brussels will follow a similar set of new laws that ‘mirror’ those laid out in GDPR.

These rules will not enter force until autumn, according to the Telegraph.

The spokesperson added that the Commission is ‘taking and will continue to take all the necessary steps to comply’.

GDPR aims to strengthen and unify data protection for all individuals within the EU, which means cracking down on how companies use and sell user data.

Under GDPR, companies are required to report data breaches within 72 hours, as well as allow customers to export their data and delete it.

Companies scrambled to comply with the rules before they were ratified on May 25, with the Commission threatening hefty fines for those who breached them.

The bureaucracy’s website exposed 700 records that include people’s names, professions, and even some postcodes and addresses.

The records, some of which featured the private information of Britons, were collected during EU meetings and conferences and stored on data spreadsheets.

Tech website Indivigital found the documents are among thousands hosted by the website Europa.eu that are freely accessible online.

Many of them could be found by simply searching for the document on Google.

This leak would constitute a breach of GDPR rules were the blunder committed by other organisations or businesses.

What is GDPR?

The General Data Protection Regulation is an EU-wide law that came into force on May 25 2018.

It gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.

For consumers, it brings new powers that require firms to obtain clear consent from users before processing their data.

It also grants users a right to easily access the data collected from them and transparency on how it is being used.

Everyday users have to do very little to comply with GDPR – it’s more targeted at big online businesses.

Under the new rules, any company that controls or processes the data of EU citizens must adhere to the GDPR guidelines.

This ends the territorial-based accountability that some firms not based in the EU previously used to avoid sanction.

The law also states that notification of a data breach must occur within 72 hours of being first discovered, increasing transparency around leaks.

The size of the fines that can be issued has also increased under GDPR.

Regulators will be able to issue penalties equivalent to up to four per cent of annual global turnover or 20 million euro (£17.5 million) – whichever is greater.

For tech giants such as Google and Facebook, this could mean the risk of fines running into the hundreds of millions.

Fines for such a breach can reach up to £17.5 million ($23 million) or four per cent of global turnover – whichever is largest.

Jon Baines, a data protection expert at law firm Mishcon de Reya, described the ‘irony’ of the EU’s admission.

‘Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made,’ he told the Telegraph.

Steve Gailey, security expert at database security firm Exabeam, added that the exposure ‘is embarrassing for the EU, coming hot on the heels of GDPR’.